325
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 10 Jul 2023
325 points (98.5% liked)
Android
17361 readers
395 users here now
The new home of /r/Android on Lemmy and the Fediverse!
Android news, reviews, tips, and discussions about rooting, tutorials, and apps.
🔗Universal Link: !android@lemdro.id
💡Content Philosophy:
Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.
Support, technical, or app related questions belong in: !askandroid@lemdro.id
For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id
📰Our communities below
Rules
-
Stay on topic: All posts should be related to the Android OS or ecosystem.
-
No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.
-
Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.
-
No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.
-
No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.
-
No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.
-
No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.
-
No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.
-
No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!
-
No affiliate links: Posting affiliate links is not allowed.
Quick Links
Our Communities
- !askandroid@lemdro.id
- !androidmemes@lemdro.id
- !techkit@lemdro.id
- !google@lemdro.id
- !nothing@lemdro.id
- !googlepixel@lemdro.id
- !xiaomi@lemdro.id
- !sony@lemdro.id
- !samsung@lemdro.id
- !galaxywatch@lemdro.id
- !oneplus@lemdro.id
- !motorola@lemdro.id
- !meta@lemdro.id
- !apple@lemdro.id
- !microsoft@lemdro.id
- !chatgpt@lemdro.id
- !bing@lemdro.id
- !reddit@lemdro.id
Lemmy App List
Chat and More
founded 1 year ago
MODERATORS
Some information I have posted to Lemmy.World:
I have seen multiple posts by these people during the attack. It is most certainly related to JS.
If it's
onloadthen simply viewing the image runs that script. Yikes.That's even worse, if Lemmy has a vulnerability like that it needs to get fixed ASAP... Also if that code actually works, I am going to have to secure my account.
I'd wager you're likely fine if you're using a mobile app when the affected image loads. Also, it appears they're stealing auth tokens.. not passwords or anything. At worst they could impersonate you until your token expires.. but you're not a high value target unless you're an admin of an instance.
I used Firefox... So I definitely reset my password. Thing is I do not see an option for Lemmy where you can "sign out everywhere" which is the counter to Auth token stealing.
So I had to change it so that the Auth token would expire. Whilst I am not an admin I won't take the chance. It could compromise other users and I do not want to take that risk.
Apparently the fix for the vulnerability signs everyone out.
the thing is right now lemmy by defaultNEVER expires the tokens... oops. Right now servers are manually expiring all their user's tokens by changing the secret in the database because of this attack.
Oops indeed. Lemmy needs a security audit 😬
lmao I'm so stupid I pressed on that image and now my account is compromised. oh well it forced to create another and this is my first hack yayyyyy!
Clicking the image isn't the issue, scrolling by it will nab your Auth tokens. Resetting your password will reset the Auth tokens protecting your account. A sign out everywhere button would fix it but that isn't an option yet. It really needs to be.
There's so many things wrong with this I don't even know where to start
Wtf how is this even possible? Are the Lemmy devs smoking crack? If you're going to run a reddit alternative, it may be wise to sanitize the fuck out of everything posted on there.
Please feel free to perform a full security audit.
You are free to open a PR
Not really helpful though is it? It's like going to a friend's house and asking why there is a sink hole in the middle of the floor that everyone is walking around, and they say "feel free get a hammer out".
It's more like when everyone is looking at the previously unknown hole and discussing how to patch it up and you start yelling how it is unacceptable as your friend's house is a "bar alternative"
Honestly I think you're all right. This is such a basic vulnerability it should never existed... AND I told you so's and bitching don't help.
Little Bobby Tables strikes again
Now seriously, people forget that Lemmy is alpha software, and Kbin is even younger
People have said the platform is years old, but it didn't really get tested until June. I wouldn't be surprised if more issues like this are found.
well Reddit was hacked so lemmy is still on track
¯_(ツ)_/¯ Lemmy.
the threadiverse wasn’t exactly popular until the reddit exodus
id probably flip it: are lemmy users smoking crack? if you’re going to run to a reddit alternative, it’d be wise not to choose alpha software!